search for: pam_set_data

https://bugzilla.mindrot.org/show_bug.cgi?id=2548 Bug ID: 2548 Summary: Make pam_set_data/pam_get_data work with OpenSSH Product: Portable OpenSSH Version: 7.2p1 Hardware: Sparc OS: Solaris Status: NEW Severity: major Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot...

Let me refine my previous question: > Can anyone provide some insight into why the auth-pam module uses a fork in > pthread_create (auth-pam.c)? This completely breaks the ability of one PAM function > to pass data to others via the pam_set_data/pam_get_data functions. Can anyone tell me how to #define USE_POSIX_THREADS when building --with-pam defined? The autoconfig stuff doesn't test for pthreads libraries, so by default you get threads simulated by Unix processes. Presumably there ought to be an "official" way to sp...

...04-03-30 12:42 ------- Here's my understanding of what's going on. Currently this is only known to affect Solaris, but it's possible the problem exists on other PAM-using systems. During pam_authenticate, the modules in question (pam_dhkeys, pam_krb5) stash some private data using the pam_set_data() calls. In the normal case, this data is present in a separate process (the "authentication thread") and is lost when that process exits after completing the authentication. Later, when pam_setcred is called to establish the process credentials (eg a PAG for AFS or the stored DH keys,...

Hello list, Bug 688 is causing me a massive headache on OS X. The fact that each PAM authentication takes place in a separate process means the PAM context data isn't shared and therefore prevents the passing of data between modules. (pam_set_data, and pam_get_data) Compiling with pthreads isn't really an option because of the added security risk and the fact that some of the PAM modules are not thread safe and would be troublesome to make thread safe. Storing the data in the environment really isn't an option, as it is sensitiv...

...void brute force dictionary attacks. It didn't work as I expected (but only for my ssh server). After some research I found out that the main thread in openssh creates another thread to authenticate the user. At the beginning of this thread the pam_abl module sets its own pam data with function pam_set_data. This module counts on that at the end of authentication those data are freed with given callback function. If the authentication was not successful, host and user are recorded in the database. However at the end of the thread which authenticates the user, the pam data are not explicitly freed (by...

...of user x. Right now I don't have any possibility to figure out which actual user has now logged in on behalf of user x. A solution to this problem is that OpenSSH makes the fingerprint of the key that has been (succesfully) used during public key authentication available within the PAM space (pam_set_data() / pam_putenv()). In this case one could hook in another PAM module e.g. for session management that obtains the fingerprint and work with it (e.g. mapping to user and making it available in user environment). -- You are receiving this mail because: You are watching the assignee of the bug.

Hello, I've developed a custom PAM module which only allows a user to authenticate to the server only if another user of the same machine also authenticates succesfully. It's currently a simple module which also works as a PAM aware application since it authenticates each user with PAM itself. Both the pamtester utility and su can use this module correctly. However, when I try to use

...he word thread is because of the next paragraph.) Now, if a system does not have POSIX thread support, it is simulated using processes (fork()). This works okay for the most part. Unfortunately, in the AFS PAM module, the pam_authenticate() routine saves some critical module-specific data (via the pam_set_data() routine) for use by the pam_setcred() routine later on. This is perfectly acceptable (in fact, it's provided for) in the PAM framework. When fork() is used to simulate threads, the data saved by pam_authenticate() is associated with the new process and is not available to the old process. Thu...

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The

...m_ldap.c:2761: error: `configFile' undeclared (first use in this function) pam_ldap.c:2777: error: `psession' undeclared (first use in this function) pam_ldap.c:2792: error: `PAM_BUF_ERR' undeclared (first use in this function) pam_ldap.c:2817: warning: implicit declaration of function `pam_set_data' pam_ldap.c: In function `_session_reopen': pam_ldap.c:2848: error: `PAM_SUCCESS' undeclared (first use in this function) pam_ldap.c: In function `_get_password_policy': pam_ldap.c:2855: error: `PAM_SUCCESS' undeclared (first use in this function) pam_ldap.c: At top level: pam_l...